Vulnerability Description
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is lower than Apache (or another web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by sending at least 151 simultaneous requests to the Magento website to trigger a "Too many connections" error, then use default magmi:magmi basic authentication to remotely bypass authentication.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magmi Project | Magmi | < 0.7.24 |
Related Weaknesses (CWE)
References
- https://www.tenable.com/security/research/tra-2020-51Third Party Advisory
- https://www.tenable.com/security/research/tra-2020-51Third Party Advisory
FAQ
What is CVE-2020-5777?
CVE-2020-5777 is a vulnerability with a CVSS score of 9.8 (CRITICAL). MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger t...
How severe is CVE-2020-5777?
CVE-2020-5777 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-5777?
Check the references section above for vendor advisories and patch information. Affected products include: Magmi Project Magmi.